IMO /api/status should deny anonymous access by default; ATM unauthenticated users can access /api/status when using security-kibana-plugin.
If I have understood status.allowAnonymous https://www.elastic.co/guide/en/kibana/current/settings.html correctly, it should deny anonymous access to /api/status, /status and /api/stats by default.
OpenDistro security-kibana-plugin has an undocumented variable opendistro_security.auth.unauthenticated_routes. I guess here are the critical lines: https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/dec85706fa38e00a88f9b3292f452e97b2b071e7/server/index.ts#L72 https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/dec85706fa38e00a88f9b3292f452e97b2b071e7/server/index.ts#L78
IMO the unauthenticated_routes should either not exist or the default value should be []. I don't understand why it was changed in https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/pull/167 .
Here is an example of the information that is leaked through this path https://demo.elastic.co/api/status .
In the security scans that were run against my installation this was categorised as a "weakness".
@oscarkraemer Thanks for reporting this!
The status API is registered at https://github.com/elastic/kibana/blob/v7.9.1/src/legacy/server/status/routes/api/register_status.js#L28 , and status.allowAnonymous is used at https://github.com/elastic/kibana/blob/v7.9.1/src/legacy/server/status/wrap_auth_config.js#L22 . So based on the current security plugin implementation, overriding opendistro_security.auth.unauthenticated_routes to [] in kibana.yml should enable auth for the status API.
This is the default setting inherited from the old version of the security plugin https://github.com/opendistro-for-elasticsearch/security-kibana-plugin/blob/master/index.js#L44 . We need to learn from the old plugin author why they put the status API into the default unauthenticated routes.
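As an added check (not code from the issue, from Kibana or from the plugin): a small Python audit that parses a flat kibana.yml and flags the weak setting discussed in this thread beside the [] override suggested above. The two sample configs are constructed, and treating a missing key as a plugin default that includes /api/status is an assumption based on this thread, not a verified value.

```python
"""Audit kibana.yml for status routes reachable without authentication."""

# Routes the Kibana docs cited in the issue say status.allowAnonymous governs.
STATUS_ROUTES = {"/api/status", "/status", "/api/stats"}

# Constructed sample configs (not from the issue): the default as described
# in the thread, and the override the maintainer suggests.
WEAK_CONFIG = """
server.port: 5601
# plugin default as described in the issue: status API left unauthenticated
opendistro_security.auth.unauthenticated_routes: ["/api/status"]
"""
FIXED_CONFIG = """
server.port: 5601
opendistro_security.auth.unauthenticated_routes: []
status.allowAnonymous: false
"""


def parse_flat_yaml(text: str) -> dict:
    """Parse top-level `dotted.key: value` lines with flow-style lists only.
    Assumption: kibana.yml uses flat dotted keys; '#' starts a comment."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("'\"") for v in value[1:-1].split(",")]
            cfg[key] = [v for v in items if v]
        elif value.lower() in ("true", "false"):
            cfg[key] = value.lower() == "true"
        else:
            cfg[key] = value.strip("'\"")
    return cfg


def audit_status_exposure(cfg: dict) -> list:
    """Return findings for status routes that would be served anonymously.
    Assumption: a missing unauthenticated_routes key means the plugin default
    described in the issue, i.e. the status API is included."""
    findings = []
    routes = cfg.get("opendistro_security.auth.unauthenticated_routes", ["/api/status"])
    exposed = sorted(set(routes) & STATUS_ROUTES)
    if exposed:
        findings.append(f"unauthenticated_routes exposes {exposed}; set it to []")
    if cfg.get("status.allowAnonymous") is True:
        findings.append("status.allowAnonymous is true: Kibana serves status routes anonymously")
    return findings
```

Run `audit_status_exposure(parse_flat_yaml(open("kibana.yml").read()))` against your own config; an empty list means neither setting leaves the status routes open.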
Hi @zengyan-amazon, why was this closed? Has something changed in the last upgrade that resolves this issue? Cheers, Oscar